Whitelist Auth0 IPs by default; DB migration; show Auth0 IPs on admin

WP_Auth0.php

@@ -9,7 +9,7 @@
  */
 
 define( 'WPA0_VERSION', '3.8.1' );
-define( 'AUTH0_DB_VERSION', 19 );
+define( 'AUTH0_DB_VERSION', 20 );
 
 define( 'WPA0_PLUGIN_FILE', __FILE__ );
 define( 'WPA0_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );

lib/WP_Auth0_DBManager.php

@@ -64,7 +64,7 @@ public function install_db( $version_to_install = null, $app_token = '' ) {
 			}
 		}
 
-		if ( $this->current_db_version < 9 ) {
+		if ( ( $this->current_db_version < 9 && 0 !== $this->current_db_version ) || 9 === $version_to_install ) {
 			$this->migrate_users_data();
 		}
 
@@ -81,17 +81,6 @@ public function install_db( $version_to_install = null, $app_token = '' ) {
 			}
 		}
 
-		if ( $this->current_db_version < 13 ) {
-			$ips    = $options->get( 'migration_ips' );
-			$oldips = '138.91.154.99,54.221.228.15,54.183.64.135,54.67.77.38,54.67.15.170,54.183.204.205,54.173.21.107,54.85.173.28';
-
-			$ipCheck = new WP_Auth0_Ip_Check( $options );
-
-			if ( $ips === $oldips ) {
-				$options->set( 'migration_ips', $ipCheck->get_ip_by_region( 'us' ) );
-			}
-		}
-
 		if ( $this->current_db_version < 14 && is_null( $options->get( 'client_secret_b64_encoded' ) ) ) {
 			if ( $options->get( 'client_id' ) ) {
 				$options->set( 'client_secret_b64_encoded', true );
@@ -302,6 +291,20 @@ public function install_db( $version_to_install = null, $app_token = '' ) {
 			}
 		}
 
+		// 3.9.0
+		if ( ( $this->current_db_version < 20 && 0 !== $this->current_db_version ) || 20 === $version_to_install ) {
+
+			// Remove default IP addresses from saved field.
+			$migration_ips = trim( $options->get( 'migration_ips' ) );
+			if ( $migration_ips ) {
+				$migration_ips = array_map( 'trim', explode( ',', $migration_ips ) );
+				$ip_check      = new WP_Auth0_Ip_Check( $options );
+				$default_ips   = explode( ',', $ip_check->get_ips_by_domain() );
+				$custom_ips    = array_diff( $migration_ips, $default_ips );
+				$options->set( 'migration_ips', implode( ',', $custom_ips ) );
+			}
+		}
+
 		$this->current_db_version = AUTH0_DB_VERSION;
 		update_option( 'auth0_db_version', AUTH0_DB_VERSION );
 

lib/WP_Auth0_Ip_Check.php

@@ -1,6 +1,20 @@
 <?php
+/**
+ * Contains class WP_Auth0_Ip_Check.
+ *
+ * @package WP-Auth0
+ *
+ * @since 1.2.1
+ */
+
+/**
+ * Class WP_Auth0_Ip_Check.
+ * Used for checking IP addresses against whitelists and default Auth0 IPs.
+ */
 class WP_Auth0_Ip_Check {
 
+	const IP_STRING_GLUE = ',';
+
 	/**
 	 * IP addresses for inbound connections per region.
 	 * The list of IP addresses may be found at the footer section of the Custom Database Editor and the header for
@@ -73,7 +87,7 @@ class WP_Auth0_Ip_Check {
 	/**
 	 * WP_Auth0_Ip_Check constructor.
 	 *
-	 * @param WP_Auth0_Options|null $a0_options
+	 * @param WP_Auth0_Options|null $a0_options WP_Auth0_Options instance.
 	 */
 	public function __construct( WP_Auth0_Options $a0_options = null ) {
 		$this->a0_options = $a0_options;
@@ -83,40 +97,56 @@ public function __construct( WP_Auth0_Options $a0_options = null ) {
 	 * Get regional inbound IP addresses based on a domain.
 	 *
 	 * @param string $domain - Tenant domain.
+	 * @param string $glue   - String used to implode arrays.
 	 *
 	 * @return string
 	 */
-	public function get_ips_by_domain( $domain ) {
-		return $this->get_ip_by_region( WP_Auth0::get_tenant_region( $domain ) );
+	public function get_ips_by_domain( $domain = null, $glue = self::IP_STRING_GLUE ) {
+		if ( empty( $domain ) ) {
+			$domain = $this->a0_options->get( 'domain' );
+		}
+		$region = WP_Auth0::get_tenant_region( $domain );
+		return $this->get_ip_by_region( $region, $glue );
 	}
 
 	/**
 	 * Get regional inbound IP addresses based on a region.
 	 *
 	 * @param string $region - Tenant region.
+	 * @param string $glue   - String used to implode arrays.
 	 *
 	 * @return string
 	 */
-	public function get_ip_by_region( $region ) {
-		return implode( ',', $this->valid_webtask_ips[ $region ] );
+	public function get_ip_by_region( $region, $glue = self::IP_STRING_GLUE ) {
+		return implode( $glue, $this->valid_webtask_ips[ $region ] );
 	}
 
+	/**
+	 * Get the IP address of the incoming connection.
+	 *
+	 * @return string
+	 */
 	protected function get_request_ip() {
 		$valid_proxy_ip = $this->a0_options->get( 'valid_proxy_ip' );
 
 		if ( $valid_proxy_ip ) {
 			if ( $_SERVER['REMOTE_ADDR'] == $valid_proxy_ip ) {
 				return $_SERVER['HTTP_X_FORWARDED_FOR'];
 			}
-		} else {
-			return $_SERVER['REMOTE_ADDR'];
 		}
 
-		return null;
+		return $_SERVER['REMOTE_ADDR'];
 	}
 
+	/**
+	 * Process an array or concatenated string of IP addresses into ranges.
+	 *
+	 * @param array|string $ip_list - IP list to process.
+	 *
+	 * @return array
+	 */
 	protected function process_ip_list( $ip_list ) {
-		$raw = explode( ',', $ip_list );
+		$raw = is_array( $ip_list ) ? $ip_list : explode( self::IP_STRING_GLUE, $ip_list );
 
 		$ranges = array();
 		foreach ( $raw as $r ) {
@@ -137,21 +167,51 @@ protected function process_ip_list( $ip_list ) {
 		return $ranges;
 	}
 
-	public function connection_is_valid( $valid_ips ) {
-		$ip              = $this->get_request_ip();
-		$valid_ip_ranges = $this->process_ip_list( $valid_ips );
+	/**
+	 * Check incoming IP address against default Auth0 and custom ones.
+	 *
+	 * @param string $valid_ips - String of comma-separated IP addresses to allow.
+	 *
+	 * @return bool
+	 */
+	public function connection_is_valid( $valid_ips = '' ) {
+		$valid_ips   = explode( self::IP_STRING_GLUE, $valid_ips );
+		$default_ips = explode( self::IP_STRING_GLUE, $this->get_ips_by_domain() );
+		$allowed_ips = array_merge( $valid_ips, $default_ips );
+		$allowed_ips = array_unique( $allowed_ips );
 
-		foreach ( $valid_ip_ranges as $range ) {
-			$in_range = $this->in_range( $ip, $range );
-			if ( $in_range ) {
+		foreach ( $this->process_ip_list( $allowed_ips ) as $range ) {
+			if ( $this->in_range( $this->get_request_ip(), $range ) ) {
 				return true;
 			}
 		}
 
 		return false;
 	}
 
+	/**
+	 * Check if an IP address is within a range.
+	 *
+	 * @param string $ip - IP address to check.
+	 * @param array  $range - IP range to use.
+	 *
+	 * @return bool
+	 */
+	private function in_range( $ip, array $range ) {
+		$from = ip2long( $range['from'] );
+		$to   = ip2long( $range['to'] );
+		$ip   = ip2long( $ip );
+
+		return $ip >= $from && $ip <= $to;
+	}
+
+	// phpcs:disable
 
+	/**
+	 * TODO: Deprecate, not used. Also remove related setting.
+	 *
+	 * @codeCoverageIgnore
+	 */
 	public function init() {
 		if ( ! WP_Auth0_Options::Instance()->get( 'ip_range_check' ) || is_admin() ) {
 			return;
@@ -160,6 +220,11 @@ public function init() {
 		add_filter( 'wp_auth0_get_option', array( $this, 'check_activate' ), 10, 2 );
 	}
 
+	/**
+	 * TODO: Deprecate, not used.
+	 *
+	 * @codeCoverageIgnore
+	 */
 	public function check_activate( $val, $key ) {
 		if ( 'active' !== $key ) {
 			return $val;
@@ -168,6 +233,11 @@ public function check_activate( $val, $key ) {
 		return $is_active;
 	}
 
+	/**
+	 * TODO: Deprecate, not used.
+	 *
+	 * @codeCoverageIgnore
+	 */
 	private function validate_ip() {
 		$ranges = $this->get_ranges();
 		$ip     = $_SERVER['REMOTE_ADDR'];
@@ -182,14 +252,11 @@ private function validate_ip() {
 		return false;
 	}
 
-	private function in_range( $ip, $range ) {
-		$from = ip2long( $range['from'] );
-		$to   = ip2long( $range['to'] );
-		$ip   = ip2long( $ip );
-
-		return $ip >= $from && $ip <= $to;
-	}
-
+	/**
+	 * TODO: Deprecate, not used. Also remove related setting.
+	 *
+	 * @codeCoverageIgnore
+	 */
 	private function get_ranges() {
 		$data = WP_Auth0_Options::Instance()->get( 'ip_ranges' );
 		$data = str_replace( "\r\n", "\n", $data );
@@ -215,4 +282,6 @@ private function get_ranges() {
 
 		return $ranges;
 	}
+
+	// phpcs:enable
 }

lib/WP_Auth0_Options_Generic.php

@@ -199,6 +199,15 @@ public function delete() {
 		return delete_option( $this->_options_name );
 	}
 
+	/**
+	 * Reset options to defaults.
+	 */
+	public function reset() {
+		$this->_opts = null;
+		$this->delete();
+		$this->get_options();
+	}
+
 	/**
 	 * Return default options as key => value or just keys.
 	 *

lib/admin/WP_Auth0_Admin_Advanced.php

@@ -105,7 +105,7 @@ public function init() {
 				'function' => 'render_migration_ws_ips_filter',
 			),
 			array(
-				'name'     => __( 'IP Addresses', 'wp-auth0' ),
+				'name'     => '',
 				'opt'      => 'migration_ips',
 				'id'       => 'wpa0_migration_ws_ips',
 				'function' => 'render_migration_ws_ips',
@@ -419,10 +419,13 @@ public function render_migration_ws_ips_filter( $args = array() ) {
 	 * @see add_settings_field()
 	 */
 	public function render_migration_ws_ips( $args = array() ) {
+		$ip_check = new WP_Auth0_Ip_Check( WP_Auth0_Options::Instance() );
 		$this->render_textarea_field( $args['label_for'], $args['opt_name'] );
 		$this->render_field_description(
-			__( 'Only requests from these IPs will be allowed to access the migration webservice. ', 'wp-auth0' ) .
-			__( 'Separate multiple IPs with commas', 'wp-auth0' )
+			__( 'Only requests from these IPs will be allowed to access the migration endpoints. ', 'wp-auth0' ) .
+			__( 'Separate multiple IPs with commas. ', 'wp-auth0' ) .
+			__( 'The following Auth0 IPs are automatically whitelisted: ', 'wp-auth0' ) .
+			'<br><br><code>' . $ip_check->get_ips_by_domain( null, '</code> <code>' ) . '</code>'
 		);
 	}
 

lib/admin/WP_Auth0_Admin_Generic.php

@@ -231,7 +231,8 @@ protected function render_radio_buttons( array $buttons, $id, $input_name, $curr
 	 * @param string $text - description text to display
 	 */
 	protected function render_field_description( $text ) {
-		printf( '<div class="subelement"><span class="description">%s.</span></div>', $text );
+		$period = ! in_array( $text[ strlen( $text ) - 1 ], array( '.', ':', '>' ) ) ? '.' : '';
+		printf( '<div class="subelement"><span class="description">%s%s</span></div>', $text, $period );
 	}
 
 	/**